Security issue?

dinfiesta

Guest
Using this simple CGI,

#!/usr/bin/perl

print <<HTML;
Content-type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html">
<link rel="stylesheet" type="text/css" href="../../css/style.css">
</head>
<body>
<table cellspacing="0" cellpadding="0" border="0">
<tr class="subhead" align="Left"><th>Name</th><th>Value</th></tr>
HTML

my $class;

# system() runs with the web server's privileges; the ls output is written
# straight into the response and $prueba only receives the exit status.
my $prueba = system("/bin/ls -laR /var/log");
print $prueba."<br>\n";
foreach (sort keys %ENV) {
next unless /^HTTP_|^REQUEST_/;
$class = ($class ne 'normal')? 'normal': 'alt';
print <<HTML;
<tr class="$class"><td valign="top">$_</td><td>$ENV{$_}</td></tr>
HTML
}

print <<HTML;
</table>
</body>
</html>
HTML

I'm able to browse log files... is there a way to limit this?
 
Is there a way to secure the Perl runtime? Every part of the server is accessible via Perl!
 
mod_security only reads query strings,

and it cannot monitor hardcoded Perl calls, i.e.

my @mydir = `/bin/ls -l /etc`;
print @mydir;

...etc

I advise you to disable Perl CGI
server-wide or limit access to your critical binaries.
 
Originally posted by knocx
mod_security only reads query strings,

and it cannot monitor hardcoded Perl calls, i.e.

my @mydir = `/bin/ls -l /etc`;
print @mydir;

...etc

I advise you to disable Perl CGI
server-wide or limit access to your critical binaries.

Any scripting language you give your clients access to is a potential security risk. Not sure you can avoid this unless you give every client their own virtual machine. You will have this problem with PHP and other languages as well; disabling Perl does not solve your problem. You would need to disable all CGI, which will cripple your clients.

-chrisl
 
Perl does not have access control but PHP does, i.e. safe_mode, etc.

Comparing Perl and PHP is not correct; they work totally differently.
 
Right, with PHP you can at least control what functions are available through php.ini, chroot with open_basedir, etc. With Perl it's pretty much open to anything you want to do, which incidentally is how you get around things like noexec on /tmp (save badguyfile to /tmp, then perl /tmp/badguyfile).

I guess I should have drilled into this a bit further earlier in the thread. There are some things you can do, but it's all quite complicated and not at all flexible. grsecurity and SELinux both have the ability to establish "roles" around an account or an application, so you could create ACLs on what that user (e.g. Perl apps run as the user) or that process may do. On a scale of 1 to 10, I put writing rules for SELinux to do this at around 9. grsec is a bit easier since it has a learning mode; I'd put that at around 6. I've worked on some generic policies for PSA environments to touch on this specifically, and I've never come up with anything really usable across a lot of systems.
 
Hello Art, what is the best solution with Plesk for Perl? :)

I used to specially chmod critical dirs like /etc, /root, /var ...etc to restrict access via Perl.

However, PSA users are members of psacln and anyone can easily read the others' code
under /./././vhosts, and this is annoying,
since someone can easily compromise other clients' MySQL passwords with Perl.

I think we need Bastille PLESK :)

Any ideas?
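As an added example (not code from this thread), a small Python audit covering knocx's two concerns: mod_security cannot see shell-outs hardcoded in a Perl CGI, and psacln group membership lets clients read each other's files under vhosts. It walks a constructed vhosts tree, flags Perl scripts containing system/exec/backtick/qx/pipe-open calls, and flags group- or world-readable files with credential-bearing names; SECRET_NAMES and the sample tree are assumptions.

```python
import os, re, stat, tempfile

# Perl constructs that hand a string to the shell; mod_security inspects the request,
# not the script body, so these only surface in a source audit.
SHELL_OUT = re.compile(r'\bsystem\s*\(|\bexec\s*\(|`[^`]*`|\bqx\s*[({/]|\bopen\s*\([^)]*\|')
SECRET_NAMES = {"config.php", "wp-config.php", ".my.cnf", "dbconfig.pl"}  # hypothetical names

def scan_script(text):
    """1-based line numbers of a Perl CGI containing a shell-out call; comment lines skipped."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if not line.lstrip().startswith("#") and SHELL_OUT.search(line)]

def audit_vhosts(root):
    """Walk a vhosts tree and return (kind, path, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            # group read = every psacln member; world read = anyone on the box
            if name in SECRET_NAMES and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(("exposed-secret", path, "mode %o" % stat.S_IMODE(mode)))
            if name.endswith((".pl", ".cgi")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_script(fh.read())
                if hits:
                    findings.append(("shell-out", path, "lines %s" % hits))
    return findings

def build_sample_tree(root):
    """Constructed sample: two clients, one group-readable config, one shelling-out CGI."""
    cgi = os.path.join(root, "client1", "httpdocs", "cgi-bin")
    os.makedirs(cgi)
    os.makedirs(os.path.join(root, "client2", "httpdocs"))
    with open(os.path.join(cgi, "env.pl"), "w") as fh:
        fh.write('#!/usr/bin/perl\n# system("commented out, not flagged")\n'
                 '$rc = system("/bin/ls -laR /var/log");\nmy $etc = `/bin/ls -l /etc`;\n')
    for client, mode in (("client1", 0o644), ("client2", 0o600)):
        cfg = os.path.join(root, client, "httpdocs", "config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php $db_pass = 'constructed-sample'; ?>\n")
        os.chmod(cfg, mode)

def demo():
    """Audit the constructed tree in a temp dir; findings with paths relative to root."""
    with tempfile.TemporaryDirectory(prefix="vhosts-") as root:
        build_sample_tree(root)
        return sorted((k, os.path.relpath(p, root), d) for k, p, d in audit_vhosts(root))
```

Run against a real tree with `audit_vhosts("/path/to/vhosts")`; client2's 0600 config produces no finding, which is the target state.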
 
Best is relative. As I said, there's no way to write generic ACLs to do this as safely as you can in PHP. In my case, it took less time and effort to just convert anything I was using to PHP.
 
Do not provide mod_perl for them; provide Perl as CGI. In CGI mode, thanks to the suexec mechanism, users shouldn't be able to see the contents of other users' directories.

mod_perl runs as apache:apache and is not chrooted. Therefore it has access to all files, which apache has.
 
Will commenting out the ModPerl module in httpd.conf remove mod_perl support globally?
 
Hello Art; when I try to remove mod_perl:

Removing:
mod_perl i386 1.99_16-4.centos4 installed 3.7 M
Removing for dependencies:
frontpage i586 5.0-72psa.centos4.2 installed 30 M
psa i586 8.0.1-centos4.2.build80060613.20 installed 94 M
psa-agent noarch 1.4.1-80060613.20 installed 0.0
psa-api noarch 8.0.1-centos4.2.build80060904.19 installed 2.6 M
psa-api-rpc noarch 8.0.1-centos4.2.build80060904.19 installed 994 k
psa-backup-manager i586 8.0.1-centos4.2.build80060904.19 installed 1.5 M
psa-horde noarch 3.1.2-centos4.2.build80060713.16 installed 23 M
psa-hotfix1 i586 8.0.1-centos4.2.build80060618.11 installed 45 k
psa-hotfix2 i586 8.0.1-centos4.2.build80060713.16 installed 21 M
psa-hotfix4 i586 8.0.1-centos4.2.build80060728.17 installed 213 k
psa-hotfix5 i586 8.0.1-centos4.2.build80060903.14 installed 132 k
psa-imp noarch 4.1.1-centos4.2.build80060613.20 installed 13 M
psa-libpam-plesk i586 8.0.1-centos4.2.build80060613.20 installed 1.2 M
psa-migration-manager i586 8.0.1-centos4.2.build80060904.19 installed 9.9 M
psa-watchdog i586 2.0.1-centos4.2.build80060613.20 installed 2.4 M

I see that there are 16 dependent packages and some of them are core packages like psa.

How can you remove mod_perl on a Plesk box?
 